The Algorithmic Underwriting Audit: What NAIC AI Requirements Mean for Every Insurer Using AI in Pricing and Claims
State insurance regulators have moved. The NAIC Model Bulletin on AI has been adopted or is under active consideration in 38+ states. Colorado SB 21-169 mandates external algorithmic audits for life insurance AI — effective January 1, 2023. California CDI has directly challenged AI-generated property risk scores. Lemonade, Tractable, CCC Intelligent Solutions, Shift Technology, and ZestyAI are handling claims assessments, fraud detection, and underwriting decisions at scale — at carriers that have not built the governance documentation regulators are now requiring.
Background
The AI deployment wave in insurance happened faster than the governance frameworks that were supposed to govern it. Between 2019 and 2024, carriers deployed AI across the claims and underwriting stack — damage assessment, fraud detection, property risk scoring, subrogation recovery, customer triage — driven by vendor sales cycles, competitive pressure, and the demonstrable efficiency gains available in high-volume, rules-intensive workflows. The regulatory framework was not ready. It is now catching up, retroactively, to deployments that are already live.
The National Association of Insurance Commissioners (NAIC) adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. The bulletin is not a model law — it does not automatically become enforceable — but it signals to every state insurance department the framework that regulators consider appropriate for AI governance in insurance. As of mid-2026, 38 or more states have adopted the bulletin or issued substantially similar guidance. The core requirements: insurers must have a written AI governance framework, ensure AI systems do not produce unfairly discriminatory outcomes, conduct testing and validation, maintain documentation, and be able to respond to regulatory inquiries about specific AI deployments. These are not aspirational guidelines. State commissioners are beginning to use them as the basis for market conduct examination.
Colorado moved further and faster than the NAIC. Colorado SB 21-169, signed into law in June 2021 and effective January 1, 2023, requires life insurers that use external consumer data or algorithms in underwriting to test those algorithms annually for unfair discrimination based on race, color, national or ethnic origin, religion, sex, and sexual orientation — including through proxy variables. The testing must be conducted by an external auditor. Carriers that used AI in Colorado life underwriting on January 1, 2023 needed an external audit completed and on file. Most did not have one.
California took a different path but arrived at the same destination. The California Department of Insurance (CDI) did not pass a statute — it used existing unfair discrimination authority to challenge specific AI deployments. In 2023, CDI issued inquiry letters to several carriers using ZestyAI property risk scores in homeowners underwriting. ZestyAI uses satellite imagery and machine learning to generate property risk scores for wildfire, hail, and wind exposure. The CDI challenge was not that the tool was inaccurate — it was that carriers could not produce documentation demonstrating that the AI-generated scores did not function as proxies for race, ethnicity, or ZIP code in ways that would constitute unfair discrimination under California Insurance Code Section 1861.05. The carriers could not produce that documentation because the tools had been deployed without it.
The vendor layer running under insurer AI creates a governance gap that most carriers have not addressed. Tractable — an AI platform for auto and property damage assessment deployed at Allstate, Covéa, and Suncorp — generates damage assessments and total-loss recommendations from photos. CCC Intelligent Solutions processes approximately 70 percent of U.S. auto claims; its AI-generated repair cost estimates establish the baseline that insurers and claimants negotiate from. Shift Technology provides AI fraud detection used at more than 100 insurers globally. Lemonade's AI “Jim” handles property and renters claims autonomously — with some claims approved in three seconds, end-to-end, without human review. In each case, the insurer is the regulated entity. The vendor's AI is a third-party tool. The regulatory obligation for the outputs — governance, fairness testing, documentation — belongs to the insurer, not the vendor.
The Illinois Artificial Intelligence Video Interview Act (2019), the Colorado law, and emerging legislation in Connecticut, New York, and Massachusetts share a structural feature: they place the compliance obligation on the entity deploying the AI, not the entity that built it. A carrier cannot satisfy a state regulator's request for algorithmic fairness documentation by pointing to its vendor agreement with CCC or Tractable. The regulator is asking what the carrier knows about the output and how the carrier tested it. For tools that process millions of claims, that obligation has significant operational implications that most insurer AI governance teams are not currently resourced to meet.
Decision Required
For each AI tool in your underwriting, pricing, and claims stack: which state regulatory requirements apply to it — and do you have the documentation those requirements demand?
Most insurance carriers that have deployed AI in claims and underwriting have done so through a procurement process that reviewed vendor capabilities, pricing, and integration requirements. The regulatory assessment — which state statutes and department bulletins apply to this tool, what testing is required, what documentation must be maintained — was either deferred or delegated to the vendor. State regulators are now asking for that documentation, and the carriers that do not have it are discovering the gap in the context of a market conduct examination or a rate filing challenge, not in advance of one.
The Colorado requirement is the clearest near-term compliance obligation. If your carrier writes life insurance in Colorado and uses any form of external consumer data or algorithmic underwriting — which includes most modern life underwriting systems — the annual external audit requirement under SB 21-169 has applied since January 1, 2023. If that audit has not been completed, the compliance gap has been running for more than two years. The California CDI situation is a forward-looking risk: CDI has demonstrated willingness to challenge AI-generated property risk scores on unfair discrimination grounds. Any carrier using AI-based property risk assessment in California homeowners underwriting should assume CDI could make the same inquiry of their specific deployment.
The harder question is not which regulatory requirement applies. The harder question is whether your carrier's AI governance function has the authority, capacity, and documentation to respond to a state regulator inquiry within a reasonable timeframe. State market conduct examinations increasingly include AI-specific information requests. A carrier that cannot produce an inventory of AI tools used in underwriting and claims, with governance documentation for each, within 72 hours of a regulatory request is not failing a compliance requirement that was unclear. It is failing a documentation obligation that has been signaled for three years.
Options
Maintain current AI deployments with existing vendor agreements and documentation. Wait for a regulatory inquiry, rate challenge, or market conduct examination before conducting a comprehensive compliance review. This posture assumes that near-term regulatory enforcement will focus on the most egregious cases and that proactive compliance investment is not worth the cost absent a specific trigger. The risk: Colorado SB 21-169 has a specific audit requirement with a specific effective date. California CDI has demonstrated it will challenge specific AI deployments. A market conduct examination that surfaces an undocumented AI system in underwriting generates a finding that is materially more difficult and expensive to remediate than a proactive compliance posture. For carriers writing significant premium in Colorado, California, or Illinois, this posture accepts documented compliance risk.
Conduct a comprehensive AI system inventory across underwriting, pricing, and claims. For each tool: document the AI governance framework, conduct or commission fairness testing using protected class proxy variables, establish monitoring protocols, and build the documentation package that would respond to a state regulator inquiry. For Colorado: commission the external algorithmic audit required under SB 21-169 for in-scope life underwriting systems. For California: assess ZestyAI and comparable property risk score tools against CDI unfair discrimination standards before the next rate filing. This is the defensible compliance posture under current regulatory guidance. It does not require resolving every ambiguity in state law — it requires building a documentation record that demonstrates governance proportionate to the regulatory framework that has been issued.
Suspend AI tools in underwriting and pricing — the highest-regulatory-risk categories — while legal and compliance complete a state-by-state assessment of which laws apply and what they require. Maintain AI in internal workflow tools and claims fraud detection pending the review. This posture eliminates forward-looking regulatory risk from new AI deployments but does not address retroactive exposure from deployments already live. It is appropriate for carriers that have not yet deployed AI extensively in underwriting and pricing, and where the cost of pausing is lower than the regulatory risk of proceeding without documentation. For carriers with AI already deeply embedded in underwriting workflows, operational disruption makes this posture difficult to execute.
Commission an external algorithmic fairness audit for AI systems in underwriting and pricing before submitting the next rate filing in Colorado, California, or Illinois. Use the audit findings to build the documentation record, identify and remediate fairness gaps, and demonstrate to regulators that the carrier has conducted the testing the regulatory framework requires. This posture is appropriate for carriers that use AI in underwriting and write significant premium in states with active AI regulatory frameworks. It does not address the NAIC Model Bulletin governance requirement comprehensively — documentation, monitoring, and incident response — but it addresses the highest near-term regulatory risk: a rate challenge that surfaces an unaudited AI system.
Recommendation
Build the AI system inventory before the regulator asks for it. The carriers that have been most exposed in California CDI and Colorado examinations share one characteristic: they deployed AI through a procurement process that did not include a compliance assessment, and they do not have documentation of the deployment decision — what the tool does, what data it uses, what outputs it produces, and what testing was conducted before it went live. That documentation is what regulators are asking for. Building it retroactively, under regulatory pressure, is three times as expensive and produces worse outcomes than building it at deployment.
The Colorado external audit obligation is not optional. If your carrier writes life insurance in Colorado and uses external consumer data or algorithms in underwriting — which includes credit scoring, third-party data appends, telematics, accelerated underwriting engines, and AI-generated risk scores — the annual external audit requirement under SB 21-169 applies. If that audit has not been completed since the January 1, 2023 effective date, your carrier has a documented compliance gap in a state that has demonstrated enforcement intent. Engage an accredited algorithmic auditor with insurance-specific experience. The audit scope should cover the protected class characteristics specified in SB 21-169 and the proxy variable testing methodology Colorado Division of Insurance guidance has outlined.
For California, the lesson from the CDI ZestyAI scrutiny is not that property risk scoring AI is impermissible. It is that carriers cannot deploy AI-generated risk scores in rate filings without the documentation to demonstrate those scores do not function as proxies for race, ethnicity, geography, or other factors prohibited under California Insurance Code. If your homeowners or auto underwriting uses AI-generated property risk scores — from ZestyAI, Verisk, or any comparable vendor — commission the fairness analysis before CDI asks for it. The CDI has indicated it will continue examining AI in rate filings. Carriers that have the documentation will resolve those inquiries faster and with less disruption than carriers that do not.
Do not rely on your vendor's compliance documentation to satisfy your regulatory obligation. CCC Intelligent Solutions, Tractable, Shift Technology, and ZestyAI each have their own governance frameworks and documentation. That documentation is relevant — but it does not substitute for the carrier's independent obligation. The regulator is asking what the carrier knows about the AI system's outputs and how the carrier tested them. A vendor data sheet is not a carrier compliance document. The insurer deploying the tool is responsible for knowing what the tool does to its customers, in its specific deployment context, with its specific data inputs.
Assign a named AI governance owner with authority over underwriting and claims. The compliance gap in most carriers is not a lack of awareness that regulatory requirements exist — it is a lack of clear ownership for the cross-functional work of documenting, testing, and monitoring AI systems across the underwriting and claims organization. Actuarial, claims, IT, legal, and compliance all touch the problem but none of them owns it completely. A named AI governance function — reporting to the CRO or Chief Compliance Officer, with authority to require documentation from business units before AI tools go live — is the organizational prerequisite for sustainable compliance with the NAIC bulletin and state-specific requirements.
Risks
State insurance departments review rate filings for unfair discrimination. A filing that relies on AI-generated risk scores — property, life, auto — is increasingly subject to a regulatory request for the documentation of how that AI was tested for fairness. California CDI has issued exactly this type of inquiry. A carrier that submits a rate filing built on AI-generated inputs and cannot produce algorithmic fairness documentation when the department asks is facing a filing challenge that delays rate changes, generates regulatory findings, and creates public record of an undocumented AI deployment. Rate filing timelines are not forgiving of compliance document assembly under pressure.
Colorado SB 21-169 required annual external audits for life insurance AI starting January 1, 2023. Carriers that have been using algorithmic underwriting in Colorado life insurance since that date without completing the required external audit have accumulated multiple years of retroactive non-compliance. Colorado Division of Insurance enforcement is not hypothetical — the law has a specific requirement, a specific effective date, and a specific audit scope. A carrier that discovers this gap in the context of a market conduct examination is negotiating remediation under regulatory pressure with a documented record of non-compliance.
Tractable, CCC, ZestyAI, and Shift Technology are not regulated entities under state insurance law. The insurer deploying their tools is. When a state regulator challenges the fairness of a claims damage assessment, a property risk score, or a fraud detection decision — the carrier is the respondent. The carrier cannot substitute the vendor's documentation for its own. Most vendor agreements include representations about accuracy but not algorithmic fairness audits conducted to state-specific standards. Carriers that have not contractually required vendor fairness documentation — and have not independently tested vendor AI outputs for compliance — hold the regulatory exposure alone.
AI tools in claims and underwriting update continuously. CCC releases model updates. Tractable improves its damage assessment. ZestyAI adjusts its property risk algorithm. Each update changes the tool's output distribution — and the fairness testing that was done on version 1.0 does not carry forward to version 2.0. A carrier that conducted a fairness review at deployment and then accepted vendor updates without revalidation has a growing gap between its documented compliance posture and the actual behavior of the tool running in production. This gap is invisible until a regulator asks which version of the tool generated a specific underwriting decision and what the fairness analysis covers.
The NAIC Model Bulletin requires insurers to maintain AI governance documentation: what systems are deployed, what governance framework applies, what testing has been conducted, and how the insurer monitors for unfair outcomes. A market conduct examination in any of the 38+ states that have adopted the bulletin can include a request for that documentation. Most carriers do not have it organized in a form that would respond to such a request within a reasonable timeframe. The gap is not that the carriers were unaware of the bulletin — it is that the documentation obligation was not operationalized into a systematic governance function before state examiners began asking for it.
Questions Your Team Should Be Answering
These are the questions that distinguish organizations that get this right from those that do not. If your team cannot answer them, that is your first deliverable.
1. For every state where your carrier writes business: has your legal and compliance team mapped which NAIC Model Bulletin adoptions and state AI statutes apply to your specific AI deployments in underwriting, pricing, and claims — and documented that assessment?
2. For Colorado: has an external algorithmic audit been completed for every life insurance AI system in scope under SB 21-169? If not, which systems are unaudited, what is the coverage date, and what is the timeline for completing the required audit?
3. For California: can your carrier produce algorithmic fairness documentation for AI-generated property or auto risk scores used in rate filings — demonstrating those scores do not function as proxies for race, ethnicity, or other prohibited characteristics under California Insurance Code Section 1861.05?
4. For each third-party AI vendor (CCC, Tractable, ZestyAI, Shift Technology, or comparable): does your vendor agreement require the vendor to provide fairness audit documentation and notify you when the AI model updates? If not, what is your process for knowing when the tool you have tested is no longer the tool running in production?
5. Can your carrier produce an AI system inventory for underwriting, pricing, and claims functions — with governance documentation for each — within 72 hours of a state regulator inquiry? Who would own that response, and has the process ever been tested?
6. Who owns AI governance at your carrier — with the authority to require documentation from business units before an AI tool goes live, and the authority to halt a deployment pending regulatory assessment? If the answer is unclear, that is the first governance gap to close.